Bug 1887664 (CVE-2020-25649)

Summary: CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
Product: [Other] Security Response
Reporter: Kunjan Rathod <krathod>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: jackson-databind-2.11.0, jackson-databind-2.10.5.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Story Points: ---
Last Closed: 2020-10-22 20:21:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1887779, 1888130, 1888374, 1888490, 1888491, 1888578, 1888643, 1888644, 1888645, 1888646, 1888647, 1889246, 1910494
Bug Blocks: 1881251, 2014197

Description Kunjan Rathod 2020-10-13 06:30:52 UTC
A flaw was found in FasterXML Jackson Databind which did not have entity expansion secured properly, making it vulnerable to XML external entity (XXE). This vulnerability is similar to CVE-2019-10172. The primary threat from this flaw is data integrity.

Comment 1 Kunjan Rathod 2020-10-13 06:31:01 UTC
External References:

https://github.com/FasterXML/jackson-databind/issues/2589

Comment 6 Marian Rehak 2020-10-13 10:44:24 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1887779]

Comment 33 Jonathan Christison 2020-10-19 11:05:16 UTC
Marking Red Hat JBoss Fuse 6 and Red Hat Fuse 7 as having a moderate impact. Both versions distribute affected versions of jackson-databind; however, its use in both Fuse 6 and Fuse 7 is not susceptible to the vulnerability as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 35 Jonathan Christison 2020-10-20 15:44:04 UTC
Marking Red Hat Camel K as having a moderate impact. Although Camel K distributes affected versions of jackson-databind, its use is not susceptible to the vulnerability as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

Comment 36 Jonathan Christison 2020-10-20 16:49:17 UTC
Marking Red Hat JBoss AMQ 6 as having a moderate impact. Although AMQ 6 distributes affected versions of jackson-databind, its use in both AMQ 6 and, as noted earlier, Fuse 6 is not susceptible to the vulnerability as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

This vulnerability is out of security support scope for the following products:
* Red Hat JBoss AMQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 39 errata-xmlrpc 2020-10-22 16:46:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4312 https://access.redhat.com/errata/RHSA-2020:4312

Comment 40 Product Security DevOps Team 2020-10-22 20:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25649

Comment 41 errata-xmlrpc 2020-10-28 21:07:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:4402 https://access.redhat.com/errata/RHSA-2020:4402

Comment 42 errata-xmlrpc 2020-10-28 21:10:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:4401 https://access.redhat.com/errata/RHSA-2020:4401

Comment 48 Chess Hazlett 2020-11-09 15:45:26 UTC
Mitigation:

There is currently no known mitigation for this flaw.

Comment 49 errata-xmlrpc 2020-11-09 18:26:36 UTC
This issue has been addressed in the following products:

  Vert.x 3.9.4

Via RHSA-2020:4379 https://access.redhat.com/errata/RHSA-2020:4379

Comment 51 Jonathan Christison 2020-11-16 13:25:42 UTC
Marking Red Hat Integration Service Registry as having a low impact. Although Service Registry uses affected versions of jackson-databind, its use is not susceptible to the vulnerability as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

Comment 52 errata-xmlrpc 2020-12-03 19:13:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:5344 https://access.redhat.com/errata/RHSA-2020:5344

Comment 53 errata-xmlrpc 2020-12-03 19:14:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:5340 https://access.redhat.com/errata/RHSA-2020:5340

Comment 54 errata-xmlrpc 2020-12-03 19:17:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:5341 https://access.redhat.com/errata/RHSA-2020:5341

Comment 55 errata-xmlrpc 2020-12-03 19:20:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:5342 https://access.redhat.com/errata/RHSA-2020:5342

Comment 56 errata-xmlrpc 2020-12-14 17:52:26 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.8

Via RHSA-2020:5410 https://access.redhat.com/errata/RHSA-2020:5410

Comment 57 errata-xmlrpc 2020-12-15 17:14:34 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533

Comment 58 errata-xmlrpc 2020-12-16 07:20:46 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:5361 https://access.redhat.com/errata/RHSA-2020:5361

Comment 60 errata-xmlrpc 2021-02-02 13:57:12 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:0381 https://access.redhat.com/errata/RHSA-2021:0381

Comment 61 Paramvir jindal 2021-02-10 05:48:22 UTC
Statement:

* Red Hat Enterprise Linux 8 ships a vulnerable version of jackson-databind in the pki-deps:10.6 module. pki-deps:10.6 is for pki-core dependencies, but pki-core does not use the vulnerable DOMDeserializer class and thus has been set to low impact. Future updates may include a fixed version of jackson-databind.

* Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind code. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

* Red Hat Virtualization ships a vulnerable version of jackson-databind; however, the vulnerable DOMDeserializer class is not used in the code, therefore reducing the impact to low.

* Red Hat OpenShift Container Platform (OCP) ships a vulnerable version of jackson-databind, but in the affected containers the DOMDeserializer class is not used. Additionally, access to the containers is restricted to authenticated users only (OpenShift OAuth authentication), reducing the severity of this vulnerability to Low.
In OCP 4 there are no plans to maintain the ose-logging-elasticsearch5 container, hence it is marked as wontfix.

* Red Hat Satellite ships an affected version of jackson-databind through Candlepin; however, product code does not use the DOMDeserializer class or jackson-databind in a vulnerable way. Thus the impact has been set to low. A future release may update jackson-databind to a fixed version.

* Red Hat Single Sign-On (RH-SSO) ships an affected version of jackson-databind; however, none of the product code is using the affected class (DOMDeserializer). Thus the impact has been set to low. RH-SSO will consume the fixed artifact from EAP in the next CP.

Comment 62 Jonathan Christison 2021-02-23 19:14:51 UTC
Further to comment #33, which marked Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact, we believe a low impact is more appropriate and better represents Red Hat's specification of a low impact flaw: https://access.redhat.com/security/updates/classification

That page describes low impact vulnerabilities as "These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited".

In the case of jackson-databind `DOMDeserializer` actually being called, we believe those unlikely circumstances to be:

*) Camel components making use of jackson-databind do not expose this functionality.

*) There are specialised components in Camel to parse and deserialize DOM, such as camel-jacksonxml, which relies on jackson-dataformat-xml; jackson-dataformat-xml is not vulnerable to this XXE flaw.

*) We believe the usage pattern is itself unlikely and can find no further evidence of implicit use:

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.w3c.dom.Document;

ObjectMapper mapper = new ObjectMapper();
// The JSON string value is handed to DOMDeserializer and parsed as XML because the target type is a DOM Document
Document doc = mapper.readValue("\"<badxml/>\"", Document.class);
```
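
An added triage helper (not part of this bug report or of jackson-databind) that turns the two facts above into checks: it flags jackson-databind versions below the fixed release named in "Fixed In Version" (2.10.5.1; 2.11.0 sorts above it), and greps Java sources for the implicit DOMDeserializer usage pattern from the snippet in this comment. The Maven coordinate format and the `Document`/`Node` regex are assumptions; the sample inputs are constructed.

```python
"""Added triage helper for CVE-2020-25649 (not from the bug report or jackson-databind)."""
import re

FIXED = (2, 10, 5, 1)  # jackson-databind-2.10.5.1 per "Fixed In Version"; 2.11.0 sorts above

# Maven dependency:list style coordinate (group:artifact:type:version:scope); assumed format.
DEP_RE = re.compile(
    r"com\.fasterxml\.jackson\.core:jackson-databind:(?:jar:)?([0-9][0-9A-Za-z.\-]*)")

# Heuristic for the pattern in comment 62: binding JSON straight to a DOM
# type, which makes ObjectMapper select DOMDeserializer implicitly.
DOM_USE_RE = re.compile(
    r"\b(?:readValue|readerFor|convertValue|treeToValue)\b[^;]*\b(?:Document|Node)\.class")


def parse_version(version):
    """4-tuple of ints, or None for qualified versions (e.g. 2.11.0.rc1) needing manual review."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * 4)[:4]


def is_vulnerable(version):
    """True when the version predates the fix; unparseable versions count as vulnerable."""
    parsed = parse_version(version)
    return parsed is None or parsed < FIXED


def scan_dependencies(listing):
    """[(version, vulnerable)] for each jackson-databind coordinate in a dependency listing."""
    return [(v, is_vulnerable(v)) for v in DEP_RE.findall(listing)]


def find_dom_binding(java_source):
    """1-based line numbers where JSON is bound to an org.w3c.dom type."""
    return [n for n, line in enumerate(java_source.splitlines(), 1)
            if DOM_USE_RE.search(line)]


# Constructed sample inputs for a stand-alone run.
SAMPLE_DEPS = """\
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.10.5.1:compile
"""
SAMPLE_JAVA = """\
ObjectMapper mapper = new ObjectMapper();
Document doc = mapper.readValue("\\"<badxml/>\\"", Document.class);
Config cfg = mapper.readValue(json, Config.class);
"""

if __name__ == "__main__":
    print(scan_dependencies(SAMPLE_DEPS))  # [('2.9.10', True), ('2.10.5.1', False)]
    print(find_dom_binding(SAMPLE_JAVA))   # [2]
```

The grep is only a first pass: a hit means the code path in this comment exists and the version check decides whether it matters, while a clean grep does not prove absence of indirect DOM binding through generics or type references.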

Comment 63 errata-xmlrpc 2021-03-11 17:49:58 UTC
This issue has been addressed in the following products:

  Red Hat Integration - Camel K - Tech-Preview 3

Via RHSA-2021:0811 https://access.redhat.com/errata/RHSA-2021:0811

Comment 64 errata-xmlrpc 2021-04-19 18:04:04 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.7.0

Via RHSA-2021:1260 https://access.redhat.com/errata/RHSA-2021:1260

Comment 65 errata-xmlrpc 2021-05-05 08:06:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:1429 https://access.redhat.com/errata/RHSA-2021:1429

Comment 66 errata-xmlrpc 2021-05-19 08:01:19 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:2039 https://access.redhat.com/errata/RHSA-2021:2039

Comment 67 errata-xmlrpc 2021-06-17 13:14:55 UTC
This issue has been addressed in the following products:

  RHPAM 7.11.0

Via RHSA-2021:2475 https://access.redhat.com/errata/RHSA-2021:2475

Comment 68 errata-xmlrpc 2021-06-17 13:19:00 UTC
This issue has been addressed in the following products:

  RHDM 7.11.0

Via RHSA-2021:2476 https://access.redhat.com/errata/RHSA-2021:2476